Field of the Invention
The present invention relates to a system that ensures real-time network-based vulnerability assessment of an enterprise/consumer host/device. The present invention also provides a method of implementing the system to ensure real-time network-based vulnerability assessment of the host/device.
Description of the Related Art
Vulnerability Assessment (VA)
A host (or a device) connects to a network by running one or more network accessing processes, typically called network services. A network service is so called because the service provides some service to the user of the host (or the device) that entails communication to and from the some other host/device on the network; for instance, a service could be a mail service provided by a mail server, or a chat service provided by a chat client/server. These service processes access the underlying network interface software to provide the required service(s) to the users. For instance in the TCP/IP protocol, a popular networking protocol, if the use of the Sockets utility is considered, a utility that is usually used to access the network, these services either access a network port actively by making a connect call to access another service on another machine across the network—one having a different IP address—or wait passively by making listen and accept calls for another process on the network running on a different host or a device to connect to this service. A port is a logical abstraction that denotes an endpoint on each of the two machines which have a logical connection between them. Different TCP and UDP services run on different ports. Protocols other than TCP and UDP have other paradigms to access the network.
For instance, a network service such as ping that uses the ICMP protocol does not entail the use of ports.
There could be a security breach in a service made from across the network if there is security vulnerability in the service. Security vulnerabilities could be of different kinds: for instance there could be a vulnerability in the software of the executable that comprises of the service itself; several kinds of vulnerabilities are known; for instance a service could have a buffer overflow vulnerability [2] [Counter Hack, A step-by-step Guide to Computer Attacks and Effective Defenses, Ed Skoudis, Prentice Hall (2002)] in it, or it could have a hidden backdoor [2] [Counter Hack, A step-by-step Guide to Computer Attacks and Effective Defenses, Ed Skoudis, Prentice Hall (2002)]. The Common Vulnerabilities and Exposures (CVE) [3] [http://cve.mitre.org] list keeps track of known vulnerabilities in standard network service programs offered by well-known vendors. It is also possible that the software itself might not have any vulnerability but the service is configured in such a way to lend itself to security vulnerability. For instance, the popular UNIX based sendmail service could be configured to enable relaying, whereby users can use the particular sendmail server to send spam to other users. It is also possible that a hacker has planted a listening backdoor to which he/she can connect from outside. Other security breaches in a service could be made via a denial-of-service attack conducted on the service. In a denial-of-service attack, the port on which the service is running or the host itself—or the host itself in case of services not running on any ports—is flooded with packets so as to exhaust the resources (bandwidth and/or memory) available for a genuine party across the network to access the service or for the service to have access to a genuine party across the network. Genuine here refers to the users who are not flooding the service with a denial-of-service attack, and want to connect to the host to avail of the particular offered service.
Vulnerability assessment (VA) is the process of finding out if the network services that run on a host have vulnerabilities that are prone to security violations of the above kind.
Vulnerability assessment tools are of two kinds: host-based and network-based.
Host-based vulnerability assessment is done by running a VA tool on the host itself and it can find vulnerabilities in all the services that the host runs, not necessarily just services accessible remotely. Network-based vulnerability assessment is done by running a vulnerability assessment tool to access the target host from across the network and it can thus find vulnerabilities in the network services remotely. In this invention, network-based vulnerability assessment is only considered. (Target here refers to the host or device the vulnerability of which is to be assessed.) Future references to vulnerability assessment in this description or in the claims, would imply network-based vulnerability assessment unless specified otherwise. The (network-based) vulnerability assessment itself is usually carried in two stages: the first stage comprises of finding out which services are running and the second stage comprises running scripts to do vulnerability assessment on these services. Part of the first stage consists of port scanning. Port scanning is the process of figuring out if a particular port on the target host is open, and this is done by sending various kinds of packets to the port. These packets could include among others TCP SYN, and ACK packets, UDP packets etc. Depending on the response received, the port scanner concludes if the particular port is open or not; in other words, if there is a service listening on the particular port. The other part of the first stage involves finding out whether other services—ones not associated with any port—such as ICMP services are running on the host machine. The second part of the first stage involves running scripts to identify the services that are listening on the various open ports found. This is done by giving commands to read the banners of these services remotely.
The second stage in Vulnerability assessment involves running the scripts to figure out vulnerabilities in the services found in the first stage.
A VA tool generally has a list of scripts, one each to test for each vulnerability. For each of those ports which are open as found in the port scanning stage, the VA tool runs scripts to figure out which service may be running on the port, and then runs the scripts to test for the presence of those vulnerabilities pertaining to the particular service(s). In this way, the VA tool finds out if a particular vulnerability among the list of vulnerabilities for which it has scripts exists in the service.
VA tools also find vulnerabilities in network services that are not bound to any port. As mentioned before, this involves sending packets such as ICMP packets to figure out if there are network services that are not bound to any port running on the host in the first stage. The second part would again entail running a script to send various specially carved packets to test for vulnerabilities in these services.
The pertinent point about VA tools is that they do not discover new vulnerabilities in a service on the fly. They only check for and detect previously known vulnerabilities (those whose signatures they know of) in services running on the target host. Most VA tools have a provision for updating and augmenting their vulnerability scripts so as to include testing for latest and newly discovered vulnerabilities in services.
SATAN [4] [Practical Unix and Internet Security, Simson Garfinkel and Gene Spafford, 2 nd Edition, 1996, Oreilly] was one of the first VA tools developed. Now, there are many open-source as well as proprietary VA tools available. Prominent among them are products from eEye Digital security, Nessus, NetIQ, Network Associates, Patchlink, Harris, Cisco, Bindview and Internet Security Systems.
VA tools are generally run once in a while; typically security managers run these tools once a month or once in a few weeks or once a day depending on the security policy of the enterprise.
The following are the factors concerning VA tools and the target host relevant to this invention.
On any host/device in an enterprise network, as users use the host, they start and stop various network services (in the case of TCP and UDP services, a port is associated with these services) in the course of their work. For instance, a user might start a chat software such as Yahoo messenger; another user may share his/her files through an SMB share, or another user might start an ftp server to share files. As users start new services or reconfigure existing services, they can make these services vulnerable provided these services have in them the kind of vulnerabilities described in the above section. Thus, the vulnerability status of a host changes dynamically as a function of time.
Given that a security policy of an enterprise dictates that VA tools be run once in a few days/weeks or months, and VA tools are run as per above, the vulnerability status of the host is not checked in the intermediate time period, that is between two runs of a VA tool. (To be precise, it is possible for an enterprise to have a security policy that mandates running vulnerability assessment tools all the time except that this would take a whole lot of bandwidth and could make normal working of the system difficult.) As new services get started and stopped and reconfigured all the time, vulnerabilities go undetected in the host and the host is prone to attacks.
Thus, it becomes important to make sure that not just vulnerabilities in services are detected once in a while (as and when VA tools are run as per current security policies), but that vulnerabilities should be detected the moment they occur or are manifested. This then is the one of the themes of the invention described here. (The invention is described in detail in the subsequent sections.) The invention tracks—via deploying of an agent—the start of services in real-time, and detects the vulnerabilities found in the services in real-time. The above is carried out by monitoring the status of ports—whether open or not—on the various active interfaces of the host/device. Vulnerabilities produced due to reconfiguration of services are also detected in real-time. (Here the assumption is that to reconfigure a service, one must stop it and then start it again.) Even backdoors are detected in real-time. A backdoor is a listening service that a hacker might plant on a machine, through which he/she would want to connect to the machine.
The other important theme of the invention is one which results in a “deploy and forget” model for this invention and is a major source of convenience and saving of resources for enterprises/consumers. Currently VA tools are run on specific times and as per specific schedules. Apart from missing the vulnerabilities that are manifested between two runs of the VA tool, the other problem that comes up because of the above is that a run of the VA tool may be redundant if there is no change in the vulnerability status of the network since the earlier run of the VA tool. This invention makes it possible to run a VA tool and further only those vulnerability tests from the VA tool only when they are required to be run, and this run is triggered automatically by the system. Thus, deploying a product based on this invention results in a “deploy and forget” model of invention, where the security administrator need to only deploy the tool once and then wait for alerts on new vulnerabilities. Issues such as when to run the vulnerability tests and to what extent is taken care of by the tool by itself. This then is the other theme of this invention.
Related Work:
As regards the first theme of the invention, there has been related work in areas such as vulnerability assessment [5,9,10,11]{[“System and method for rules-driven multi-phase network vulnerability assessment” U.S. Pat. No. 6,324,656, Nov. 27, 2001, Gleichauf, et al., Cisco Technologies Inc.], [“Method and system for adaptive network security using intelligent packet analysis” U.S. Pat. No. 6,499,107, Dec. 24, 2002, Gleichauf, et al., Cisco Technologies, Inc.], [“Method and system for adaptive network security using network vulnerability assessment” U.S. Pat. No. 6,301,668, Oct. 9, 2001, Gleichauf, et al, Cisco Technologies, Inc.], [“System and method for real-time insertion of data into a multi-dimensional database for network intrusion detection and vulnerability assessment”, U.S. Pat. No. 6,282,546, Aug. 28, 2001, Gleichauf, et al, Cisco Technologies, Inc.],}[5] [“System and method for rules-driven multi-phase network vulnerability assessment” U.S. Pat. No. 6,324,656, Nov. 27, 2001, Gleichauf, et al., Cisco Technologies Inc.] relates to doing vulnerability assessment using a multi-dimensional database. It does not track the changes in the vulnerability status of the host/device due to start and stop of services in real-time, and incorporate it into its multi-dimensional database. [11] [“System and method for real-time insertion of data into a multi-dimensional database for network intrusion detection and vulnerability assessment”, U.S. Pat. No. 6,282,546, Aug. 28, 2001, Gleichauf, et al, Cisco Technologies, Inc.] has a facility for real-time insertion of data feed into the database, but it is picked up from data processed by an intrusion detection system. Real-time tracking of start and stop of services for purposes of real-time vulnerability assessment is not part of the above.
Qualys [6] [“Qualys First to Provide Real-Time Vulnerability Assessment for Check Point Firewalls” http://www.checkpoint.com/press/partners/2002/qualys032502.html] claims to do a vulnerability scan of a network when a configuration of a firewall (specifically Checkpoint firewall) deployed in the network is changed. A firewall is not a network service; (a network service is a service that involves to and from communication with another entity across the network.) A firewall is basically a filter meant to secure the network. Also, since a firewall is a security service, it is obvious that a change in firewall configuration will change the vulnerability status of the network. What is subtle and non-obvious however is that vulnerability status of the network can change anytime a new network service is started on a host or the configuration of any network service running on the host is changed.
There is also work done in the area of execution monitoring of applications [7] [Automated Detection of Vulnerabilities in Privileged Programs by Execution Monitoring”, Ko et al., Proc. of the 10th Annual Computer Security Applications Conference, Orlando, Fla. (found at http://seclab.cs.ucdavis.edu/papers.html), 1994] but this work relates to finding out whether these services whose execution is being monitored are compromised due to vulnerabilities present in them, by checking their execution traces. This invention is different in the sense that the present invention does not monitor the execution trace of the application. The present invention signals the beginning or the reconfiguration of the application and then trigger a vulnerability assessment tool which will check for potential vulnerabilities in the service, and not for actual compromises. The former work comes under the area of intrusion detection while the present invention comes under the area of near real-time vulnerability assessment.
Other work peripherally related is in the area of patch management [8,12] {[http://www.patchlink.com], [“Non-invasive off-site patch fingerprinting and updating system and method”, United States Patent Application, 20020100036, Jul. 25, 2002, Moshir Sean et al, Patchlink.com Corporation]}. Patchlink is a company which has a patch management product. The product does a Vulnerability assessment on the enterprise host, and updates various software installed on the host with patches. The closest Patchlink's product comes to a feature of the present invention is their patch-compliance feature wherein if the feature is invoked, the patchlink product tracks if any of the patches deployed have been rolled back. Thus, there seems to be a real-time tracking of rollback of patches which is a small part of tracking whether a service is reconfigured.
There is also work done in the area of real-time vulnerability assessment [13] [“Network vulnerability assessment system and method”, United States Patent application, 20030028803, Feb. 6, 2003, Bunker Nelson Waldo V. et al]. However, the real-time here does not refer to real time tracking of the beginning of services.
As regards the second theme of the invention, Qualys has a web services model for its vulnerability assessment offering where they do an ‘on demand’ vulnerability assessment. Here, the security administrator can give inputs to Qualys on when he/she wants their vulnerability assessment tool—which is launched from a web-server on the network—to run. However, this is different from the ‘deploy and forget’ model of the present invention which is a ‘run when the system requires it’ model which runs only those vulnerability assessment tests which are needed, and when they are needed. This need is determined not arbitrarily or wishfully by the security administrator but is determined by which services are started at what time, and thus by change in the vulnerability status of the system. Thus, the present invention does a more optimal job, not to mention that an ‘on demand’ model can miss vulnerabilities which the present invention cannot.
[17] [“System and method for network vulnerability detection and reporting”, United State patent application, 20040015728, Cole David M, Hanzlik Dennis J., Filed Mar. 10, 2003] is an invention that is about an improved way of doing vulnerability assessment. [16] [“Tightly integrated cooperative telecommunications firewall and scanner with distributed capabilities”, U.S. Pat. No. 6,226,372, Beebe, et al, May 1, 2001] combines firewall and scanner technology.